A nice function to escape $_POST // what do you think about it

I'm using $_POST and aware about mysql exploit, I decided to use this function on the top of my page, therefore all POST will be safe: Can you tell me if I miss something and this function will really do the job as I think it will?

function clean_post(){
    if ( $_POST){
            foreach ($_POST as $k => $v) {
            $_POST[$k]=stripslashes($v);
            $_POST[$k]=mysql_real_escape_string($v);
            $_POST[$k]=preg_replace('/<.*>/', "", "$v");
        }
  }

  if ( $_COOKIE){
            foreach ($_COOKIE as $k => $v) {
            $_COOKIE[$k]=stripslashes($v);
            $_COOKIE[$k]=mysql_real_escape_string($v);
            $_COOKIE[$k]=preg_replace('/<.*>/', "", "$v");
        }
  }
开发者_开发知识库}

It will also remove all html tag, a safest option to output the result might be to use:

<pre>
  $foo 
</pre> 

Cheers!

Cheers!

I think it's a bad idea to do this. It will corrupt the data your users enter even before it hits the database. This approach will also encourage you to use lazy coding where you consistently don't escape data because you believe that all your data is already "clean". This will come back to bite you one day when you do need to output some unsafe characters and you either forget to escape them or you aren't really sure which function you need to call so you just try something and hope that it works.

To do it properly you should ensure that magic quotes is disabled and only escape data when necessary, using precisely the correct escaping method - no more, no less.

There are some problems with it.

First you apply functions on types that doesn't need them, your integers for example needs only a (int) cast to be secure.

Second you do not secure lenght, when you're requesting a '12 chars string' it would be a good idea to ensure you've got only 12 chars, and not 2048. Limiting size is really something your attackers will not like.

Third in your foreach loop you have a $v variable, you assign 3 times a function on $v to $_POST[$k]. So the 1st two assignements are lost when the 3rd occurs...

Then all the things previous people said are right :-)

The rule is apply the filter at the right moment for the right output. HTML output need an html filter (htmlspecialchars), but the database doesn't need it, it need a database escaping. Let's say you want to extract data from your database to build a CSV or a PDF, HTML escaping will make you life harder. You'll need CSV escaping at this time, or PDF escaping.

Finally it is effectively hard to remember if you are manipulating a data which is already well escaped for your output. And I recommend you an excellent read on Joel on Software about Apps Hungarian. The text is quite long, but very good, and the web escaping sequence is used as an example on why Apps Hungarian is good (even if System Hungarain is bad).

Hi this is my first answer for any question asked on web so please review it.

Put this code in top of your script and no need to assign these posted values to any variables for doing the same job of making the input data safe for database. Just use $_POST values as it is in your query statements.

foreach ($_POST as $k => $v) {                  
      if(!is_array($_POST[$k]) ) {       //checks for a checkbox array & so if present do not escape it to protect data from being corrupted.
          if (ini_get('magic_quotes_gpc')) {      
                $v = stripslashes($v); 
            }               

            $v = preg_replace('/<.*>/', "", "$v");           //replaces html chars
            $_POST[$k]= mysql_real_escape_string(trim($v));

        }
 }

Don't forget $_GET[]

if ($_POST OR $_GET)

Also you can add strip_tags()

I don't know whether your function is correct or not, but the principle is certainly incorrect. You want to escape only where you need to, i.e. just before you pass things into MySQL (in fact you don't even want to do that, ideally; use bound parameters).

There are plenty of situations where you might want the raw data as passed in over the HTTP request. With your approach, there's no ability to do so.

In general, I don't think it's that good of an idea.

1. Not all post data necessarily goes into MySQL, so there is no need to escape it if it doesn't. That said, using something like PDO and prepared statements is a better way, mysql_* functions are deprecated.
2. The regular expression could destroy a lot of potentially valid text. You should worry about things like HTML when outputting, not inputting. Furthermore, use a function like strip_tags or htmlspecilchars to handle this.
3. stripslashes is only necessary if magic quotes are enabled (which they shouldn't be, but always is possible)

When working with stripslashes I'd use get_magic_quotes_gpc():

if (get_magic_quotes_gpc()) {
    $_POST[$k]=stripslashes($v);
}

Otherwise you'll over-strip.